Memorandum of Understanding between the Information 
Commissioner and the Global Cyber Alliance 


Introduction 


1. This Memorandum of Understanding (MoU) establishes a 
framework for cooperation and information sharing between the 
Information Commissioner ("the Commissioner") and the Global 
Cyber Alliance ("the GCA"), collectively referred to as "the 
parties" throughout this document. In particular, it sets out the 
broad principles of collaboration and the legal framework 
governing the sharing of relevant information and intelligence 
between the parties. The shared aims of this MoU are to enable 
closer working between the parties, including the exchange of 
relevant and appropriate information, so as to assist them in 
discharging their mutual goal to reduce UK cybercrime, reduce 
cyber risk and improve cyber security. 


2. This MoU is a statement of intent that does not give rise to legally 
binding obligations on the part of either the Commissioner or the 
GCA. The parties have determined that they do not need to 
exchange personal data to discharge their responsibilities or their 
mutual goals and therefore a separate data sharing agreement is 
not necessary. 


SCOPE OF COLLABORATION 


3. The Parties will collaborate in accordance with this MoU. For this 
purpose, the parties may jointly identify one or more areas or 
initiatives for cooperation. Such cooperation may include: 


(a) sharing of aggregated breach report data from cyber 
incidents, including where appropriate related to cybercrime 
and fraud; 

(b) sharing and exchange of information and intelligence which 
enhances the ability to identify cyber threats and trends; 

(c) joint research or studies to improve each party's or the 
broader partnership's understanding of the cyber landscape, 
including its size, the actors operating therein and business 
models; and 

(d) any other areas of cooperation as mutually decided upon by 
the Parties. 


The role and function of the Information Commissioner 


4. The Commissioner is a corporation sole appointed by Her Majesty 
the Queen under the General Data Protection Regulation and the 
Data Protection Act 2018 to act as the UK's independent regulator 
to uphold information rights in the public interest, promote 
openness by public bodies and data privacy for individuals. 


5. The Commissioner is empowered to take a range of regulatory 
action for breaches of the following legislation: 


• Data Protection Act 2018 (DPA); 

• General Data Protection Regulation (GDPR); 

• Privacy and Electronic Communications (EC Directive) 
Regulations 2003 (PECR); 

• Freedom of Information Act 2000 (FOIA); 

• Environmental Information Regulations 2004 (EIR); 

• Environmental Protection Public Sector Information 
Regulations 2009 (INSPIRE Regulations); 

• Investigatory Powers Act 2016; 

• Re-use of Public Sector Information Regulations 2015; 

• Enterprise Act 2002; 

• Security of Network and Information Systems Directive (NIS 
Directive); and 

• Electronic Identification, Authentication and Trust Services 
Regulation (eIDAS). 


6. Article 57 of the GDPR and Section 115(2)(a) of the DPA 2018 
place a broad range of statutory duties on the Commissioner, 
including monitoring and enforcement of the GDPR, promotion of 
good practice and adherence to the data protection obligations by 
those who process personal data. These duties sit alongside those 
relating to the other enforcement regimes outlined in paragraph 4 
above. 
7. The Commissioner’s regulatory and enforcement powers include: 


• conducting assessments of compliance with the DPA, GDPR, 
PECR, eIDAS, the NIS Directive, FOIA and EIR; 

• issuing information notices requiring individuals, controllers or 
processors to provide information in relation to an 
investigation; 

• issuing enforcement notices, warnings, reprimands, practice 
recommendations and other orders requiring specific actions 
by an individual or organisation to resolve breaches (including 
potential breaches) of data protection legislation and other 
information rights obligations; 

• administering fines by way of penalty notices in the 
circumstances set out in section 155 of the DPA; 

• administering fixed penalties for failing to meet specific 
obligations (such as failing to pay the relevant fee to the 
Commissioner); 

• issuing decision notices detailing the outcome of an 
investigation under FOIA or EIR; 

• certifying contempt of court should an authority fail to comply 
with an information notice, decision notice or enforcement 
notice under FOIA or EIR; and 

• prosecuting criminal offences before the Courts. 


8. Regulation 31 of PECR, as amended by the Privacy and Electronic 
Communications (EC Directive) (Amendment) Regulations 2011, 
also provides the Commissioner with the power to serve 
enforcement notices and issue monetary penalty notices as above 
to organisations which breach PECR. This includes, but is not limited 
to, breaches in the form of unsolicited marketing which falls within 
the ambit of PECR, including automated telephone calls made 
without consent, live telephone calls which have not been screened 
against the Telephone Preference Service, and unsolicited electronic 
messages (Regulations 19, 21 and 22 of PECR respectively). 
The role and function of the Global Cyber Alliance 


9. The GCA is an international cross-sector effort dedicated to 
reducing cyber risk and improving our connected world. GCA 
achieves this by uniting global communities, implementing 
concrete solutions and measuring the effect. The GCA was 
founded by a global law enforcement partnership consisting of the 
City of London Police, New York County District Attorney's Office 
and the entity responsible for assisting all state, local, tribal and 
territorial entities in monitoring for cyberattacks in the US, the 
Center for Information Security. 


Purpose of information sharing 


10. The purpose of the MoU is to enable the parties to share relevant 
information which enhances their ability to exercise their respective 
functions. 


11. This MoU should not be interpreted as imposing a requirement on 
either party to disclose information in circumstances where doing so 
would breach their statutory responsibilities. In particular, each 
party must ensure that any disclosure of information pursuant to 
these arrangements fully complies with both the GDPR and DPA 
2018. Personal data will not be shared pursuant to this agreement. 
The MoU sets out the potential legal basis for information sharing, 
but it is for each party to determine for themselves that any 
proposed disclosure is compliant with the law. 


Principles of cooperation and sharing 


12. Subject to any legal restrictions on the disclosure of information 
(whether imposed by statute or otherwise) and at her discretion, 
the GCA will attempt to develop mechanisms for the sharing of 
information that will assist the Commissioner in the execution of her 
statutory functions, within the context of this relationship, 
discovered whilst undertaking the GCA's duties, and provide 
relevant and necessary supporting information if possible and 
practicable. 


13. Subject to any legal restrictions on the disclosure of information, 
the Commissioner will, at her discretion, share with the GCA 
information which falls within the scope of the GCA within the 
context of this relationship and provide relevant and necessary 
supporting information. 


14. Subject to any legal restrictions on the disclosure of information 
(whether imposed by statute or otherwise) and at their discretion, 
the parties will: 


• Communicate regularly to discuss matters of mutual interest 
(this may involve participating in multi-agency groups to 
address common issues and threats); and 

• Consult one another on any issues which might have 
significant implications for the other organisation. 


15. The parties will comply with the general laws they are subject to, 
including, but not limited to, local data protection laws; the 
maintenance of any prescribed documentation and policies; and 
comply with any governance requirements in particular relating to 
security and retention. 


Lawful basis for sharing information 


Information shared by the GCA with the Commissioner 


16. The GCA, during the course of its activities, will receive 
information from a range of sources, including personal data. The 
GCA will process all personal data in accordance with the 
principles of the GDPR, the DPA 2018 and the legislative 
framework in relation to health and social care information. 


17. The Commissioner's statutory function relates to the legislation 
set out at paragraph 4, and this MoU governs information shared 
by the GCA to assist the Commissioner to meet those 
responsibilities. It must also ensure that sharing the information in 
question is consistent with its legal powers. 


18. Section 131 of the Data Protection Act 2018 may provide both the 
lawful basis, from a data protection perspective, and the legal 
power for the GCA to share information with the Commissioner. 
Under this particular provision, the GCA is not prohibited or 
restricted from disclosing information to the Commissioner by any 
other enactment or rule of law provided it is "information 
necessary for the discharge of the Commissioner's functions". 


Information shared by the Commissioner with the GCA 


19. The Commissioner, during the course of her activities, will receive 
information from a range of sources, including personal data. She 
will process all personal data in accordance with the principles of 
the GDPR, the DPA 2018 and all other applicable legislation. The 
Commissioner may identify that information she holds, which may 
include personal data, ought to be shared with the GCA as it 
would assist her in performing her functions and responsibilities. 


20. Section 132(1) of the DPA 2018 states that the Commissioner can 
only share confidential information with others if there is lawful 
authority to do so. In this context, the information will be 
considered confidential if it has been obtained by, or provided to, 
the Commissioner in the course of, or for the purposes of, 
discharging her functions and it relates to an identifiable individual 
or business, and is not otherwise available to the public from 
other sources. This therefore includes, but is not limited to, 
personal data. Section 132(2) of the DPA 2018 sets out the 
circumstances in which the Commissioner will have the lawful 
authority to share that personal data with the GCA. In particular, 
it will be lawful in circumstances where: 


• The sharing was necessary for the purpose of the 
Commissioner discharging her functions (section 132(2)(c)); 

• The sharing was made for the purposes of criminal or civil 
proceedings, however arising (section 132(2)(e)); or 

• The sharing was necessary in the public interest, taking into 
account the rights, freedoms and legitimate interests of any 
person (section 132(2)(f)). 


21. The Commissioner will therefore be permitted to share information 
with the GCA in circumstances where she has determined that it is 
reasonably necessary to do so in furtherance of one of those 
grounds outlined at paragraph 22. In doing so, the Commissioner 
will identify the function of the GCA with which that information 
may assist, and assess whether that function could reasonably be 
achieved without access to the particular information in question. 


22. If information to be disclosed by the Commissioner was received 
by her in the course of discharging her functions as a designated 
enforcer under the Enterprise Act 2002, any disclosure shall be 
made in accordance with the restrictions set out in Part 9 of that 
Act. 


23. Where information is to be disclosed by either party for law 
enforcement purposes under section 35(4) or (5) of the DPA 2018 
then they will only do so in accordance with an appropriate policy 
document as outlined by section 42 of the DPA. 


24. Where a request for information is received by either party under 
data protection laws, FOIA or EIR, and where the information 
being sought under that request includes information obtained 
from, or shared by, the other party, the recipient of the request 
will seek the views of the other party. In particular, the receiving 
party will have regard to the FOIA section 45 Code of Practice 
and/or the EIR Regulation 16 Code of Practice, as appropriate. 
However the decision to disclose or withhold the information (and 
therefore any liability arising out of that decision) remains with 
the party in receipt of the request as Controller in respect of that 
data. 


Method of exchange 


25. Appropriate security measures shall be agreed to protect 
information transfers in accordance with the sensitivity of the 
information and any classification that is applied by the sender. 


Confidentiality and data breach reporting 


26. Where confidential material is shared between the parties it will be 
marked with the appropriate security classification. 


27. Where one party has received information from the other, it will 
consult with the other party before passing the information to a 
third party or using the information in an enforcement proceeding 
or court case. 


28. Where confidential material obtained from, or shared by, the 
originating party is wrongfully disclosed by the party holding the 
information, this party will bring this to the attention of the 
originating party without delay. This is in addition to obligations to 
report a personal data breach under the GDPR and/or DPA where 
personal data is contained in the information disclosed. 


Duration and review of the MoU 


29. The parties will monitor the operation of this MoU and will review 
it biennially. 


30. Any minor changes to this memorandum identified between 
reviews may be agreed in writing between the parties. 


31. Any issues arising in relation to this memorandum will be notified 
to the point of contact for each organisation. 


Key contacts 


32. The parties have both identified a key person who is responsible 
for managing this MoU: 


Information Commissioner's Office: James Dipple Johnstone, Deputy 
Information Commissioner 

Global Cyber Alliance: Andy Bates, Executive Director 


33. Those individuals will maintain an open dialogue between each 
other in order to ensure that the MoU remains effective and fit for 
purpose. They will also seek to identify any difficulties in the 
working relationship, and proactively seek to minimise the same. 


34. 


Signatories 


Date: 02 December 2020 


Date: 13 October 2020 